Date: Fri, 27 Dec 1996 16:49:34 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: owensc@enc.edu (Charles Owens)
Cc: hackers@freebsd.org
Subject: Re: multi-group file access techniques (repost)
Message-ID: <199612272349.QAA25559@phaeton.artisoft.com>
In-Reply-To: <Pine.FBS.3.93.961226155435.24466E-100000@dingo.its.enc.edu> from "Charles Owens" at Dec 26, 96 03:57:42 pm
> I'm trying to grapple with the challenge of how to allow multiple groups
> and users (but not everyone) to have access to a directory hierarchy. We
> don't have ACL's in FreeBSD, so I'm finding it a bit tricky.
>
> Below is an example of what I need to do. If you have any insights,
> alternate approaches, please let me know!

1) Modify the VOP_ADVLOCK to be veto-based.

2) Modify the VOP_LOCK code to be veto-based. Call a top level vn_lock to call the underlying VOP_LOCK. Move the vclean locking to the top level code.

Now NULLFS will no longer crash.

If you have a 2.1.5 kernel, take my patches from -current in June of 1995; they contain this fix.

Using NULLFS, prototype an FS layer that sits on top of an FS using the following user name space intrusions:

1) If a file name starts with #<digit>, byte-stuff it to ##<digit>.

2) Use all #<digit>... file names as names associated with a base inode number.

3) Add in the stacking layer a VOP_IOCTL operation for ACL's.

4) Add subfunctions for "create/delete/add/delete/get" ACL.

5) Write a user space utility to manipulate ACL's.

6) For a file in the directory named "foo", with inode "1745", the ACL file will be named "#1745".

7) Store all ACL's in the appropriate file. I recommend a sparse file.

8) Modify the VOP's which take names and call the common lookup code to enforce your ACL's.

9) Remount the FS using the new NULL-derived ACL layer onto the same mount point. When backing up, unmount the ACL layer so the backup utility can see the ACL containers as files in the underlying FS.

10) If you support reverse inheritance, modify the UFS create to store the parent directory inode in the underlying inode. Add an option to fsck (during pass 7) to set these for the first time you start using the new UFS code.

You now have *real* ACL's.

Otherwise, live with the "goofy" intermediate directory scheme... if you don't like it exposed in the namespace, hide it using symlinks.
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
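A constructed user-space model of the name-space rules and the lookup-time check from the reply above (points 1, 2, 6 and 8), added here as an example and not code from Terry or from FreeBSD: byte-stuffing of "#<digit>" names, hiding the "#<inode>" containers from directory listings, and a grant-if-covered check across all of a user's groups. The ACL entry layout and the union-of-matching-entries semantics are assumptions; the message does not specify the ACL format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the message's name-space rules: an ACL container is
 * named "#<inode>" (e.g. "#1745"), so user names starting with "#<digit>"
 * must be byte-stuffed before they reach the underlying FS. */

/* True if an underlying-FS name is an ACL container ("#" then a digit). */
static int is_container(const char *n) {
    return n[0] == '#' && isdigit((unsigned char)n[1]);
}

/* User name -> underlying name: "#<digit>..." becomes "##<digit>...".
 * Returns 0, or -1 if the result does not fit in out. */
int stuff_name(const char *user, char *out, size_t outsz) {
    int esc = is_container(user);
    if (strlen(user) + esc + 1 > outsz)
        return -1;
    snprintf(out, outsz, "%s%s", esc ? "#" : "", user);
    return 0;
}

/* Underlying name -> user name for readdir: a container is hidden (-1),
 * "##<digit>..." drops one '#', anything else passes through unchanged. */
int unstuff_name(const char *under, char *out, size_t outsz) {
    if (is_container(under))
        return -1;
    const char *src = (under[0] == '#' && is_container(under + 1)) ? under + 1 : under;
    if (strlen(src) + 1 > outsz)
        return -1;
    strcpy(out, src);
    return 0;
}

/* One ACL entry (assumed layout): a uid or gid plus rwx bits (4/2/1). */
struct acl_entry { int is_group; unsigned id; int perms; };

/* Grant only if the union of entries matching the uid or any of its groups
 * covers every requested bit; a subject that matches no entry is denied. */
int acl_check(const struct acl_entry *acl, size_t n, unsigned uid,
              const unsigned *gids, size_t ngids, int want) {
    int granted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!acl[i].is_group && acl[i].id == uid)
            granted |= acl[i].perms;
        for (size_t g = 0; acl[i].is_group && g < ngids; g++)
            if (acl[i].id == gids[g])
                granted |= acl[i].perms;
    }
    return (granted & want) == want;
}
```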